UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
Information Technology Audits and Computer Crime Investigations

FINAL MANAGEMENT INFORMATION REPORT

DATE:     September 30, 2013

TO:       James W. Runcie
          Chief Operating Officer
          Federal Student Aid

FROM:     Charles E. Coe, Jr. //s//
          Assistant Inspector General
          Information Technology Audits and Computer Crime Investigations

SUBJECT:  Final Management Information Report
          PIN Security Vulnerabilities
          Control No. ED-OIG/X21L0002 (12-110380)

The purpose of this Management Information Report is to inform Federal Student Aid (FSA) of our concerns about security vulnerabilities associated with the Personal Identification Number (PIN) Registration System (PIN system) that the Office of Inspector General (OIG) has identified through various investigations and to make recommendations and suggestions for addressing these vulnerabilities.

In preparing this report, the OIG reviewed FSA's response to the recommendation in the OIG Investigative Program Advisory Report (IPAR) Distance Education Fraud Rings (L42L0001) (September 26, 2011) regarding the PIN system.[1] We also reviewed an FSA PowerPoint outlining a general plan to replace the PIN system, although it did not identify any identity verification and electronic authentication controls to address security vulnerabilities.[2] This Management Information Report recommends changes to the current PIN system and recommends controls FSA should incorporate into the replacement system to address PIN recovery mechanism vulnerabilities. This report also provides suggestions to limit the risks associated with students using third parties in the student financial assistance process.

The OIG learned from FSA's September 16, 2013, response to our draft of this report that FSA is in the process of re-engineering and replacing the PIN system with the Non-privileged Access System (NPAS), which FSA stated will solve the problems that we have identified in our report and will provide additional security improvements. FSA has not provided the OIG with any supporting documentation related to NPAS beyond what was explained in FSA's response to our draft report; nor has it finalized the contract for the development of NPAS. The OIG has not validated FSA's plans for NPAS.

[1] The Distance Education Fraud Rings IPAR alerted FSA and the Office of Postsecondary Education of the OIG's findings from investigations of fraud involving distance education programs and made recommendations to mitigate the risk of fraud in such programs. The IPAR recommended that the Department implement controls in the PIN delivery system to identify and prevent the issuance of multiple PINs to the same email address without confirmation of identity.
[2] Identity verification (also known as identity "proofing") is when a person's identity is verified for the purpose of issuing information system credentials. Electronic authentication is the process of establishing confidence in the user identity through the use of information system credentials.

The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.

Final Management Information Report, ED-OIG/X21L0002, Page 2

In addition, FSA did not agree with our suggestion to enable students to permit companies providing loan-related services read-only access to relevant areas of their accounts that do not contain sensitive personal information. FSA stated that the deployment of the MyStudentData Download permits students to download a file that includes their loan and grant information and provide that to third parties if they choose. However, we do not know whether MyStudentData Download will reduce the incidence of PIN sharing in light of its limitations, but we believe that allowing third parties limited, read-only access to student accounts would reduce the problem of PIN sharing and unfettered third party access to personal data.

FSA did not agree with our suggestion to consider creating preparer-specific access accounts that would allow a student to authorize a preparer to access and modify certain sections of the FAFSA because it considers such access to an applicant's file/data would compromise the integrity of the Title IV student aid application process. According to FSA, the extensive "smart-logic" of the FAFSA on the Web product maintains the applicant's control of their personal data and FAFSA submissions, and MyStudentData Download provides sufficient third party access needed for counseling and other advisory activities. We do not believe that MyStudentData Download will reduce this problem because it does not provide data that assists third parties who help students complete their applications. In addition, the OIG does not know how "smart logic," in which FAFSA on the Web skips over questions that do not apply to the student or prompts the student for customized follow-up questions, will prevent a student who has already chosen to use a preparer from sharing their PIN with the preparer or allowing the preparer to manage the student's account.

BACKGROUND

Personal Identification Number
The FSA PIN is a four-digit number that is used in combination with the user's Social Security number (SSN), name, and date of birth (DOB). The PIN serves as an electronic signature and provides access to sensitive personal records on FSA Web sites such as fafsa.ed.gov and pin.ed.gov. The PIN allows students and their parents the ability to manage their FSA accounts, manage their Free Application for Federal Student Aid (FAFSA), and electronically sign the FAFSA and other related documents. FSA requires each person accessing these sites to apply for his or her own PIN. FSA is responsible for securing and maintaining the PIN and FAFSA Web sites, applications, and transactions.

Sensitive Personal Information Stored in FSA Documents and Web Sites
As part of the process of applying for a PIN or completing the FAFSA, users provide personally identifiable and financial information. The PIN application collects and contains sensitive personal information including name, SSN, DOB, email address, physical address, challenge question, and challenge answer.

The Student Aid Report, which a user may access using a PIN, contains sensitive personal information that was provided on the FAFSA such as name, SSN, DOB, email address, permanent address, sensitive financial and income information, marital status, high school, choice of post-secondary school, personal identifiers for parents and step-parents, and financial information and marital status for parents and step-parents.

During a person's FAFSA and PIN application process, (b)(7)(E)
(b)(7)(E)
The Central Processing System selects certain FAFSA applicants who must verify their identity and certify that they will use their financial aid for educational purposes.[4] (b)(7)(E)
(b)(7)(E)

FSA's Plans for the PIN Replacement System
In response to the OIG's Distance Education Fraud Rings IPAR, FSA documented PIN (b)(7)(E) vulnerabilities in a PowerPoint entitled, "Shared Use of the PIN," dated June 21, 2012.
(b)(7)(E)

In April 2013, the OIG requested that the FSA Information System Security Officer provide us with an update on FSA's planned electronic verification and identity verification controls to address vulnerabilities identified in the OIG's Distance Education Fraud Rings IPAR and FSA's PowerPoint on "Shared Use of the PIN."

The FSA Information System Security Officer stated that FSA has been researching an internally developed solution for the PIN replacement system and was planning to create a single sign-on solution for all FSA Web sites.[5] FSA provided us a PowerPoint regarding the plans for the PIN replacement system.[6] The PowerPoint stated that the replacement system will help modernize the process of assigning a PIN to eligible non-privileged users (borrowers), streamline authentication for the systems that non-privileged users access, and decrease the security and compliance risks associated with using personally identifiable information for access to FSA systems. However, the PowerPoint did not describe specific identity verification or electronic authentication controls for non-privileged user access to FSA systems.

We last requested specific information on the planned controls FSA will include in the PIN replacement system in May 2013, but FSA did not provide us this information at that time or since then. In its response to our draft report, FSA described how the planned NPAS system will address our recommendations. We reviewed the explanation FSA included in its response to our draft report, but have not received supporting documentation related to the plan and FSA has not yet finalized a contract for the development of the system.

[3] The Central Processing System is the automated system that processes all applications for Federal student aid, calculates financial aid eligibility, and notifies students and educational institutions of the results of the eligibility calculation.
[4] The student accomplishes this verification by presenting identification to a notary public or school official and signing an Identity and Statement of Education Purpose.
[5] A single sign-on will allow users to access all FSA websites with one user ID and password.
[6] The PowerPoint is entitled, "PIN Re-engineering and Replacement (Enterprise Identity Management Services (EIMS) Phase 2)."

PIN RECOVERY MECHANISM NOT ADEQUATE

A March 2004 OIG audit of the Implementation of Electronic Signatures for Select Federal Student Aid Transactions (ED-OIG A11D0002) (b)(7)(E)
Since this audit was issued, the OIG has investigated several cases of unauthorized access to sensitive personal information contained in the PIN system and found that vulnerabilities continue to exist in the PIN system.

(b)(7)(E)

Guidance and Best Practices on Authentication and Password Management
Since 2001, the Federal government and financial institutions have issued the following guidance and best practices on authentication and password management:

• If the user does not supply challenge questions but rather selects questions from a list provided by the registration site, the user should select from a set of at least five questions and be required to answer three questions to authenticate.[8]
• Sophisticated challenge questions provide better security. Examples include answering questions that require specific user knowledge (such as the exact amount of the user's monthly mortgage payment, selecting a familiar address from a list of addresses, or identifying a user-selected image from several images).[9]
• Adding a "Last Login" feature to display a user's last login and number of failed login attempts each time they successfully log in; if the last login date and time displayed does not coincide with the date and time that the user last logged into his/her account, the user will be alerted to a possible compromise of his or her PIN.[10]
• Using "out-of-band authentication," which is a process to authenticate the identity of the person originating a transaction through a channel different from the one that person used to initiate the transaction. Methods of out-of-band authentication include sending the user an email or text message that has information they must use to log in.[11]

[7] The PIN account includes information such as the account holder's email address, phone number, and mailing address.
[8] National Institute of Standards and Technology (NIST), Special Publication (SP) 800-63-1, "Electronic Authentication Guideline," (Dec. 2011).
[9] FIL-50-2011 and Federal Financial Institutions Examination Council, "Supplement to Authentication in an Internet Banking Environment," (October 2005).
[10] National Institute of Standards and Technology, Special Publication 800-63-1.
[11] Federal Financial Institutions Examination Council, "Supplement to Authentication in an Internet Banking Environment," (October 2005).

(b)(7)(E)

PIN Recovery Mechanism Can Be Exploited
(b)(7)(E)

(b)(7)(E)

(b)(7)(E)
The challenge questions range in distinctiveness and in how easy or difficult the answers would be for an unauthorized user to guess. The three most popular challenge questions are listed in the table below.

Table: Three Most Popular PIN Challenge Questions

  PIN Challenge Question               Percentage of People Choosing This Question
  What is your mother's maiden name?   30%
  What city were you born in?          29%
  What is your favorite color?         13%

Unauthorized User Can (b)(7)(E)
The OIG is investigating a case where an unauthorized user gained control of another user's PIN (b)(7)(E)

(b)(7)(E)

Impact
(b)(7)(E)

After obtaining a person's PIN, an unauthorized user can view or change the owner's personal information on the PIN Web site. In addition, an unauthorized user can use the PIN on the FAFSA Web site to view the student's sensitive personal information contained in the Student Aid Report or to submit a new (b)(7)(E)

Unauthorized access may leave the PIN owner susceptible to loss of financial aid, unwanted contact, potential financial harm due to the disclosure of sensitive information, or other harmful activities.

RECOMMENDATIONS

The OIG recommends that FSA implement the following improvements to the PIN recovery mechanism to ensure personal information stored on FSA Web sites is adequately protected:
   (b)(7)(E)

FSA Response
In response to our recommendations, FSA stated:

   (b)(7)(E)

   (b)(7)(E)

   5. FSA will research and consider the OIG-provided options for (b)(7)(E)

OIG Response
It appears that FSA's planned actions for recommendations 1, 2, 3, and 5 will address the vulnerabilities identified in this report. We found FSA's response to recommendation 4 partially non-responsive because it only addresses new accounts and not re-enabled accounts. (b)(7)(E)
(b)(7)(E)

During the course of our review, we requested specific information on the controls planned for the PIN replacement system, which we noted in the Draft Management Information Report provided to FSA on August 27, 2013.
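The guidance list in the PIN recovery section above names the controls a stronger recovery mechanism needs: at least five registered challenge questions with three to be answered, questions that call for specific user knowledge, a one-time code delivered out of band, and a "Last Login" banner that also shows the number of failed attempts. The Python model below, added here as an illustration and not code from the OIG report or from FSA's PIN or NPAS systems, puts those controls together in one recovery flow. The question list, the account fields, the phone-number contact and the sender callback are constructed stand-ins, and the salted PBKDF2 hashing of answers is a design choice of this example rather than something the report prescribes.

```python
"""Added example (not OIG or FSA code): a PIN recovery flow built from the
controls the report's guidance list cites. The question list, account
fields, contact channel and the send callback are constructed stand-ins."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MIN_QUESTIONS_REGISTERED = 5   # guidance: pick from a set of at least five
ANSWERS_REQUIRED = 3           # guidance: answer three to authenticate
PBKDF2_ROUNDS = 50_000         # design choice of this example, not from the report

# Constructed site-provided list; each asks for specific user knowledge rather
# than facts (mother's maiden name, birthplace) that are easy to look up.
SITE_QUESTIONS = (
    "Exact amount of your monthly mortgage or rent payment?",
    "Street name of your first address after age 18?",
    "Make and model of your first car?",
    "Name of your first employer?",
    "Name of your high school mascot?",
    "Last four digits of the account number on your first utility bill?",
)

def normalize(answer):
    """Case- and whitespace-insensitive matching so 'Oak  Street' equals 'oak street'."""
    return " ".join(answer.lower().split())

def hash_answer(answer, salt):
    """Salted PBKDF2 so a copy of the account table does not reveal the answers."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                               salt, PBKDF2_ROUNDS).hex()

@dataclass
class Account:
    answers: dict              # question -> (salt, hash)
    contact_oob: str           # out-of-band channel, e.g. a constructed phone number
    last_login: str = "never"
    failed_attempts: int = 0   # failed recovery attempts since the last successful login
    pending_code: str = None

def register(answer_pairs, contact_oob):
    """Enrolment: at least five questions, all taken from the site list."""
    if len(answer_pairs) < MIN_QUESTIONS_REGISTERED:
        raise ValueError("select at least %d questions" % MIN_QUESTIONS_REGISTERED)
    if any(q not in SITE_QUESTIONS for q, _ in answer_pairs):
        raise ValueError("questions must come from the site-provided list")
    stored = {}
    for question, answer in answer_pairs:
        salt = secrets.token_bytes(16)
        stored[question] = (salt, hash_answer(answer, salt))
    return Account(answers=stored, contact_oob=contact_oob)

def recovery_challenge(account, rng=secrets.SystemRandom()):
    """Pick three of the registered questions at random for this attempt."""
    return rng.sample(list(account.answers), ANSWERS_REQUIRED)

def check_answers(account, supplied):
    """True only if three supplied answers match; hashes are compared in constant time."""
    correct = 0
    for question, answer in supplied.items():
        if question not in account.answers:
            continue
        salt, expected = account.answers[question]
        if hmac.compare_digest(hash_answer(answer, salt), expected):
            correct += 1
    if correct >= ANSWERS_REQUIRED:
        return True
    account.failed_attempts += 1
    return False

def send_oob_code(account, sender):
    """Out-of-band step: a one-time code leaves over a channel other than the web
    session. The code is returned only so the example can be exercised."""
    account.pending_code = "%06d" % secrets.randbelow(10 ** 6)
    sender(account.contact_oob, account.pending_code)
    return account.pending_code

def complete_recovery(account, supplied_answers, oob_code, now):
    """Recovery needs three correct answers AND the out-of-band code. On success,
    return the 'Last Login' banner the guidance asks to show, else None."""
    if not check_answers(account, supplied_answers):
        return None
    if account.pending_code is None or \
            not hmac.compare_digest(str(oob_code or ""), account.pending_code):
        account.failed_attempts += 1
        return None
    banner = "Last login: %s; failed attempts since then: %d" % (
        account.last_login, account.failed_attempts)
    account.last_login, account.failed_attempts, account.pending_code = now, 0, None
    return banner
```

The failed-attempt counter is shown to the account owner rather than used to lock the account: the report describes a case in which an unauthorized user locked a victim's PIN account by submitting three wrong challenge answers, so a lockout driven solely by wrong answers is a denial-of-service lever as much as a control, whereas the banner lets the owner notice attempts they did not make.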
Because we just learned about NPAS in FSA's September 16, 2013, response to our draft report and FSA did not provide supporting documentation beyond what was explained in its response to our draft report, we have not validated FSA's plan for NPAS implementation.

COMPANIES THAT REQUIRE PINs TO ACCESS FSA SYSTEMS

An OIG investigation found that students sharing their PINs with an Internet-based company providing loan-related services to the students provided an opportunity for bad actors at the company to change and misuse the students' personal data. As a result of this investigation, the OIG researched this and other Internet-based companies that log into FSA systems using students' PINs. We found that students using the services of these companies type their PIN into the company's Web site so the company can obtain information on the student's behalf.[12] Using this data, companies may help students understand and manage debt and provide information and assistance about loan repayment or consolidation options. The OIG is reporting our research regarding these companies to inform you of additional facts to consider when establishing and implementing requirements for the single sign-on solution for FSA Web sites.

FSA's Web site states, "Your PIN is used to sign legally binding documents electronically. It has the same legal status as a written signature. Don't give your PIN to anyone—not even to someone helping you fill out the FAFSA." The PIN Web site states, "If you receive a PIN, you agree not to share it with anyone. Your PIN serves as your electronic signature and provides access to your personal records, so you should never give your PIN to anyone, including commercial services that offer to help you complete your FAFSA. Be sure to keep your PIN in a safe place."

[12] In October 2012, the White House and the Department hosted an "Education Datapalooza" that included a discussion of the "MyData Initiative," a collaboration between the Department and software developers to create a simple mechanism for students to download their educational data, such as FAFSA data, to a provider's Web site. See FSA's "MyData Initiative" Web site.

Although these Web sites state that the PIN should not be given to "anyone," it is possible that users may not consider the prohibition against sharing a PIN to encompass when a student inputs the PIN into a company's Web site so that it can retrieve data for the student. Given the Administration's efforts to help Americans manage their student loan debt, FSA may consider this type of service to be potentially beneficial to students; however, as mentioned above, sharing the PIN presents a possibility that the student will be exploited.

The OIG suggests that FSA consider developing a capability to enable students to permit companies providing loan-related services read-only access to relevant areas of their accounts that do not contain sensitive personal information. This would allow a student to grant these companies access to the student's loan-related information without the risk that a bad actor at the company could alter the student's record or obtain the student's sensitive personal information.

FSA Response
FSA did not agree with the OIG's suggestion but said that MyStudentData Download meets the OIG's objectives for this suggestion. The deployment of MyStudentData Download in November 2012 and April 2013 permits students to download a file that includes loan and grant information and provide that to third parties if they choose. FSA stated that it believes there is no reason to allow any party, other than the student, to have direct access (read-only or otherwise) to the student's FSA information.

OIG Response
MyStudentData Download only provides a snapshot at a given point in time versus the constant, real-time access that third parties have when students provide them their PINs. We do not know whether MyStudentData will reduce the incidence of PIN sharing in light of its limitations, but we believe that allowing third parties limited, read-only access to student accounts would reduce the problem of PIN sharing and unfettered third party access to personal data.

FAFSA PREPARERS MANAGING STUDENT PINs

The OIG previously reported in the Distance Education Fraud Rings IPAR that the Department does not verify that the user submitting a PIN request is the actual holder of the SSN. The IPAR also noted that single email addresses were used to receive and manage PIN accounts for sometimes hundreds of individuals. In response to these findings, FSA analyzed PIN security vulnerabilities and noted that the PIN is prone to abuse by third parties supposedly operating on behalf of financial aid recipients.

One such type of third party is FAFSA preparers. The OIG has found that between school years 2008-2009 and 2011-2012, four percent of FAFSA applicants listed a preparer on their FAFSAs. FAFSA applicants are not required to pay a fee to apply for Federal student aid. However, the Higher Education Act of 1965, as amended (HEA), authorizes an applicant for Federal student aid to use a paid preparer for consultative or preparation services for completing the FAFSA. Only a preparer who is paid a fee is subject to the HEA's requirements; others who assist an applicant without charging a fee (e.g., guidance counselor, teacher, etc.) are not "preparers" within the meaning of the HEA. Section 483(d)(2) of the HEA provides that when a preparer submits a FAFSA to the Department, the preparer must include on the FAFSA their name, address or employer's address, SSN or Employer Identification Number (EIN), and organizational affiliation.

During an OIG proactive investigative project, we reviewed 6 preparer organizations that helped at least 435 students apply to college, file their FAFSAs, and manage their student loans. The OIG found these student PIN accounts were managed using an email address owned by the preparer organization and (b)(7)(E)

The preparer organizations' respective Web sites indicated that, for a fee, they provide services such as applying for scholarships and grants, obtaining PINs, completing the FAFSA, managing student loans, and completing university-specific financial paperwork.[13]

The OIG noted the following for the 435 applicants:

• 86 percent of the FAFSA or PIN applications were submitted from the same Internet Protocol address as that of the preparer organization.
• 80 percent of PIN applications showed the same PIN challenge question and 78 percent chose the same challenge answer or established a challenge answer of: (b)(7)(E)
• 99 percent of the FAFSA applicants associated with one particular preparer organization listed the preparer organization's email address as the student's personal email address. The majority of applicants associated with the other preparer organizations listed what appeared to be the student's personal email address or did not list any email address on the FAFSA.
• 97 percent of the FAFSA applications did not list the preparer's name, EIN, or SSN. If preparer organizations were paid for their services, those omissions violated the HEA.

Thus, preparer organizations may be submitting applications on behalf of students without identifying themselves on the FAFSA, controlling student PIN accounts, and receiving electronic correspondence from FSA that is intended for the student.

For these 435 applicants,[14] the OIG suggests that FSA require the students to change their PINs and reaffirm their agreements not to share their PINs with anyone, as well as verify the contact information in both the PIN system and the current year FAFSA with the student. The OIG also suggests FSA consider controls that would ensure preparers are identifying themselves on the FAFSA.

[13] The OIG did not obtain student records maintained by the preparer organizations and therefore did not confirm whether students paid the preparer organizations. The OIG also did not determine if the preparer organization established the PIN or if the student provided their PIN to the preparer organization, which then changed the PIN to the last four digits of the student's SSN.
[14] The OIG will provide the list of students to FSA upon request.

To reduce the temptation for students to share their PIN with preparers, the OIG suggests FSA consider creating preparer-specific access accounts that would allow a student to authorize a preparer to access and modify certain sections of the FAFSA. FSA could set permissions that would prevent preparer-specific accounts from viewing or changing the student's sensitive personal information, email address, or postal address; signing the FAFSA for the student/parent; or submitting the FAFSA. If FSA created this type of account, it could also be used to automatically link a preparer's SSN or EIN to the submitted FAFSA. FSA could also present students a message, prior to students granting the preparer access to their FAFSA, reminding them that free assistance is available for completing and submitting a FAFSA. This may encourage some students to seek the free assistance rather than paying a company to assist them.

FSA Response
FSA did not agree with the OIG's suggestion and asserted that allowing third parties limited access to an applicant's file/data would compromise the integrity of the student aid application process and be contrary to the intent of the HEA. According to FSA, the extensive "smart-logic" of the FAFSA on the Web product maintains the applicant's control of their personal data and FAFSA submissions, and MyStudentData Download provides sufficient third party access needed for counseling and other advisory activities.

OIG Response
Our work has demonstrated that many students have disregarded the prohibition on sharing PINs and have provided third parties full access to their accounts, including access to their personal data. We do not believe that MyStudentData Download will reduce this problem because it does not provide data that assists third parties who help students complete their applications. In addition, the OIG does not know how "smart logic," in which FAFSA on the Web skips over questions that do not apply to the student or prompts the student for customized follow-up questions, will prevent a student who has already chosen to use a preparer from sharing their PIN with the preparer or allowing the preparer to manage the student's account.
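The indicators the preparer findings above rest on (many applications from one Internet Protocol address, the same challenge answer repeated across accounts, a preparer's email address recorded as the student's own) can be screened for in bulk over the PIN and FAFSA application data. The Python example below, added here and not the OIG's analysis code, clusters a constructed set of application records on each of those three fields and returns the accounts that hit two or more indicators, which are the candidates for the PIN reset and contact re-verification the report suggests. The record fields, thresholds, email addresses and IP addresses are all constructed for the example, using documentation address ranges and example domains.

```python
"""Added example (not OIG or FSA code): screen PIN/FAFSA application records
for the preparer-control indicators the report describes. All records below
are constructed; addresses use documentation ranges and example domains."""
from collections import Counter, defaultdict

# Constructed application records: email as recorded on the application,
# source IP of the submission, and the PIN challenge question/answer pair.
APPLICATIONS = [
    {"id": "a1", "email": "office@preparer.example.com", "ip": "203.0.113.5",
     "question": "favorite color", "answer": "blue"},
    {"id": "a2", "email": "office@preparer.example.com", "ip": "203.0.113.5",
     "question": "favorite color", "answer": "blue"},
    {"id": "a3", "email": "office@preparer.example.com", "ip": "203.0.113.5",
     "question": "favorite color", "answer": "blue"},
    {"id": "a4", "email": "office@preparer.example.com", "ip": "203.0.113.5",
     "question": "city born in", "answer": "blue"},
    # shares only the IP address (e.g. a school computer lab): weak on its own
    {"id": "a5", "email": "student5@example.net", "ip": "203.0.113.5",
     "question": "mother's maiden name", "answer": "rivera"},
    {"id": "a6", "email": "student6@example.net", "ip": "198.51.100.7",
     "question": "favorite color", "answer": "green"},
    {"id": "a7", "email": "student7@example.org", "ip": "192.0.2.44",
     "question": "city born in", "answer": "dayton"},
    # shares only a common answer: weak on its own
    {"id": "a8", "email": "student8@example.org", "ip": "192.0.2.45",
     "question": "favorite color", "answer": "blue"},
]

INDICATOR_FIELDS = ("email", "ip", "answer")

def group_by(records, field):
    """Map each distinct value of `field` to the ids of the records carrying it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[field]].append(rec["id"])
    return groups

def shared_values(records, field, min_cluster):
    """Values of `field` that appear on at least `min_cluster` records."""
    return {value: ids for value, ids in group_by(records, field).items()
            if len(ids) >= min_cluster}

def preparer_indicators(records, min_cluster=3):
    """Per indicator: the shared values, the record ids involved, and the share
    of all records they cover (the report's percentages are of this form)."""
    report = {}
    for field in INDICATOR_FIELDS:
        clusters = shared_values(records, field, min_cluster)
        ids = sorted(i for ids in clusters.values() for i in ids)
        report[field] = {"values": sorted(clusters), "ids": ids,
                         "share": len(ids) / len(records)}
    return report

def accounts_to_reverify(records, min_cluster=3, min_indicators=2):
    """Ids hitting at least `min_indicators` of the indicators. One shared IP or
    one common answer is weak evidence alone; overlap of several is what the
    report's 435-applicant findings show."""
    hits = Counter()
    for finding in preparer_indicators(records, min_cluster).values():
        hits.update(finding["ids"])
    return sorted(i for i, n in hits.items() if n >= min_indicators)

if __name__ == "__main__":
    for field, finding in preparer_indicators(APPLICATIONS).items():
        print("%-6s shared by %.0f%% of applications: %s"
              % (field, 100 * finding["share"], finding["values"]))
    print("re-verify:", accounts_to_reverify(APPLICATIONS))
```

The thresholds (a cluster of three, two overlapping indicators) are tuning knobs for the example; on real data the cluster size would be set against the normal rate of shared household addresses and school-lab IP addresses so that legitimate family and campus submissions are not swept in.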
The OIG can provide FSA with a list of preparer email addresses found in PIN and FAFSA applications to further demonstrate the extent of the problem of third party access to student accounts. Indeed, the OIG re-checked student PIN accounts on September 25, 2013, and preparer email addresses were still listed on most accounts identified from our work.

OBJECTIVE, SCOPE, AND METHODOLOGY

The OIG recently investigated several cases of unauthorized access to personal information contained in the PIN Registration System and the FAFSA Web site. The unauthorized users in these cases were familiar with the student victim and included former spouses, estranged parents, and step-parents. The OIG is also investigating a case where an unauthorized user locked a victim's PIN account by submitting three incorrect challenge answers, applied for a new PIN using the victim's personal information, and submitted a fraudulent FAFSA using the victim's personal identifiers.

On January 31, 2011, the OIG started a proactive investigative project to identify behavior associated with fraud rings and identified suspicious trends related to student PINs and FAFSA preparers that occurred between academic years 2008-2009 and 2011-2012. The scope of this proactive investigative project covered a limited dataset where we analyzed specific behavior for potential referral to Investigation Services.

As a result of an investigation, the OIG researched Internet-based companies that obtain student data by logging into FSA systems using the student's PIN.

The OIG provided a draft of this report to FSA on August 27, 2013. FSA provided its response to the draft report, which was dated September 16, 2013. We are including FSA's response as an attachment to this report.

We conducted our work in accordance with the Council of the Inspectors General on Integrity and Efficiency Quality Standards for Inspection and Evaluation.

If you have any questions, please contact Mark A. Smith, Special Agent in Charge, Technology Crimes Division, at (202) 245-7019.

cc:    Dawn Dawson, Audit Liaison for FSA


UNITED STATES DEPARTMENT OF EDUCATION
Federal Student Aid

MEMORANDUM

DATE:     September 16, 2013

TO:       Charles E. Coe, Jr.
          Assistant Inspector General
          Information Technology Audits and Computer Crime Investigations
          Office of Inspector General

FROM:     James W. Runcie
          Chief Operating Officer

SUBJECT:  Draft Management Information Report
          PIN Security Vulnerabilities
          Control No. ED-OIG/X21L0002 (12-110380)

Thank you for providing us with an opportunity to respond to the Office of Inspector General's (OIG) draft Management Information Report entitled, "PIN Security Vulnerabilities." Your report states that OIG reviewed Federal Student Aid's (FSA) responses to the recommendations in the OIG Investigative Program Advisory Report (IPAR) Distance Education Fraud Rings (L42L0001) dated September 26, 2011 regarding the (Personal Identification Number) PIN system and FSA's plans to replace the current PIN system.

We are pleased to have this opportunity to share the latest update on this project. FSA is in the process of re-engineering and replacing PIN with a new system, the Non-privileged Access System (NPAS). NPAS provides an identity and access management solution, based on industry best practices, that is adaptable to a changing business environment, while enabling improvements in security and customer usability. In addition, consistent with OIG recommendations, this solution will solve the problems your office identified and provide additional security improvements.

The NPAS is part of the Enterprise Identity Management Solution (EIMS) initiative. The EIMS objective is to "make provisioning and access management for FSA systems more efficient and secure for both privileged users (FSA and its partners) and non-privileged users (students/borrowers) through the implementation of enterprise Identity Lifecycle Management processes and technologies." EIMS is an umbrella initiative with several strategically related projects focused on achieving the EIMS objective.

In order to effectively develop NPAS, FSA collected and consolidated requirements from various stakeholders, including OIG's past recommendations. For the last year, FSA focused on the planning, preparation and acquisition of NPAS, including the procurement for the services to develop and implement the new system.

The new system will provide authorized FSA non-privileged external users a better and more secure capability for accessing FSA systems and data that:

• Does not require use of personal identification information (PII) during the login process and also provides these users the full range of identity and access management services, e.g., account creation; user provisioning and access; user self-care and other common capabilities; is able to effectively exchange data with other external and internal FSA systems for authentication and other purposes.
• Is able to readily support future functionality enhancements such as eSignature appliances; use of soft tokens, biometrics and other factors.
• Incorporates the use of strong and proven access controls, encryption, secure transmissions, and other technology advances, so all users are provided end-to-end protection of data, from entry source; while traversing the internet or intranets; and within data storage repositories.

Additionally, the new system will also comply with the broader FSA Information Technology standards, which require that the system:

• Provide evidence (e.g.
, Nat ional Institute of Standards and Technology (N IST) certificate for\n    the spec ific product and module) that the products it utili zes provide cryptographic\n    protections using modules that comply with Federal Informat ion Processi ng Standards (FIPS)\n    PUB 140-2 standards.\n\xe2\x80\xa2 \t Comply with the controls for access management contained in the current versions and\n    revisions of: NIST SP-800-53, Recommended Security Controls for Federal Information\n    Systems and Organizations; and NIST-SP-800-53A , Guide for Assessing Security Controls\n    in Federal Information Systellls and Organizations, Building Effective Security Assessment\n    Plans.\n\xe2\x80\xa2 \t Comply with the sec urity authorizat ion processes, as outlined in N ISTSpecial Pu blicat ion\n    NIST-SP-800-37, entitled Guide for Applying the Risk Management Framework to Federal\n    Information Systems: A Security Life Cycl e Approach, and supporting Office of Chief\n    Information Officer (OClO) po licies, standards, and procedures. In accordance with the\n    identified ri sk rating, the so lut ion shall sat isfy the appropri ate security controls as defined in\n    FIPS 200 and NIST-SP 800-53, entitled " Recolllmended Securit y Contro ls for Federal\n    Information Systems and Organizations."\n\nAs part of the planning process and as part of the PIN re-engineering, fi ve Technical Proofs of\nConcept (TPOCs) were conducted as a cost effect ive means to test feasib ility and sca labi lity of\nproposed architecture and functionality. 
The T POCs demonstrated that: ( 1) scaling up the\nexisting infrastructure for over 100 million users is viable; (2) fo rms based authen ticati on is\nfeasible fo r legacy systems; (3) Federated Identi ty Management can be implemented; (4)\nintegration with a commercial eS ignature appliance is possible and (5) it is feasible to seamlessly\nintegrate with legacy applications.\n\n\n                                                    2\n\n\x0cThe current focus of the ElMS initiative is to complete the acquisition and finalize a contract for\nPIN Re-engineering and Replacement by late September 2013. Once the award is made, the\nvendor and the FSA Integrated Project Team will begin the re-engineering and replacement of\nPIN with two to three months of requirements defini tion, refinement and validation.\n\nThe following responds to each of your specific recommendations.\n\nOIG Recommendation\n\n    I. Require PIN owners to (b)(7)(E)\n\nFSA Res ponse\n\nThe new system wi ll require (b)(7)(E)\n\n\nOIG Recommendation\n\n   2. Provide (b)(7)(E)\n\n\nFSA Response\n\nAs noted above, the new system includes (b)(7)(E)\n\n\n\nWe are sensitive to the fact that inquiri es regarding PINs, passwords and forgotten chal len ge\nresponses are typically among the highest trend ing questions at the Federal Student Aid\nInformation Center (FSAIC).\n\nOIG Recommendation\n\n   3. Notify PIN owners of (b)(7)(E)\n                                In addition, ensure that (b)(7)(E)\n\n\nFSA Response\n\n(b)(7)(E)\n\n\n\n\n                                                 3\n\n\x0cO IG Reco mmend atio n\n\n    4. (b)(7)(E)\n\n\n\n\nFSA Res ponse\n               (b)(7)(E)\n\n\n\n\n(b)(7)(E)\n\n\n\nD IG Reco mm end :ltion\n\n    5. 
Research and consider (b)(7)(E)\n                                                       when PfN and FAFSA accounts are\n        initially established.\n\nFSA Res ponse\n\nFSA will rescarch and consider other options, such as those listed above.\n\nIn addition to the forma l recommendations, we will also address other suggest ions contained in\nthe draft report.\n\nD IG Suggestio n\n\nThe OIG suggests that FSA consider developing a capabili ty to cnable studcnts to permit\ncompanies providi ng loan-re lated services read-on ly access to relevant areas or their accounts\nthat do not contain sensitive personal informat ion.\n\n\n\n\n                                                 4\n\x0cFSA Response\n\nFSA does not agree with the OIG \' s suggestion. In November 2012 and April 2013 , FSA\ndeployed " MySt udentData Download" functionality fo r the National Student Loan Data System\n(NSLDS) and the FAFSA, respectively. These capabilities were deve loped in support of the\nWhite House Office of Science and Technology Policy\'s initiative, which strives to make\neducation-related data available, machine-readable, and accessible whi le protecting the privacy\nof the student\'s personal information. A goal of the initiative is to empower students to\nelectronically obtain, store, and if they so dec ide, to share their information with others while\nsafeguarding personally identifiable in for mation.\n\nFor NSLDS , the student can, with one sim ple acti on, download a simple text file that includes\nthe student \'s Title IV loan and grant information (e.g. , award amounts, disbursement amounts\nand dates). For FAFSA information, students are able to download their processed FAFSA data.\n\nFor both app licat ions, the student may choose to share the downloaded information with third\nparties that provide assistance with various higher education decisions (e.g., how to pay for an\neducation, and how to manage debt if they use loans to fund their education.) 
Since the\ninformation provided by the student to a third party is not direct ly from the FSA system that\nmaintains the data, the third party does not have access to those systems and cannot change or\nupdate any of the in format ion. Those capabilities remain so lely wi th the student.\n\nThe file layouts for the FAFSA and NSLDS downloads are included in the e-annoullcement\nbelow. The layouts/data elements were approved by Office of the General Counsel prior to\nimplementation.\n\nhttp://ifap.ed.gov/eannouncements/ l1 I 3 12UpcomingMySIudeniDalaDownloadFuilciioil 13 14FO\nTWDraftFileLavout.html\n\nhIIP:I/ifap.ed.gov/eannolltlccments/08 1612M y DataButton LJ pcom ing l mplementat ion .hlml\n\nIn summary, FSA believes tbat there is no reason to allow any party, other than the student, to\nbave direct access (read -onl y or otherwise) to the student\' s FSA information. Any legitimate\nobjectives for the OIO recommendation are met by the "MyS tudentData Download"\nfunctiona lit ies discussed above.\n\nOIG Suggestion\n\nThe OIG suggests FSA consider creating preparer-spec ifi c access accounts that wou ld allow a\nstudenl to authorize a pre parer to access and modify certain sections of the FAFSA.\n\nFSA Response\n\nFSA does not agree wi th the O IG\'s suggestion. We believe such access to an applicant \' s\nfile/data \\.vould comprom ise the integrity of the Title IV student aid application process. The\n\n                                                 5\n\n\x0cstudent andlor parent maintain complete accountability for the information reported and used to\ndetermine eligibility for federal student aid.\n\nIn our opinion, it would be contrary to the intent of the Higher Education Act of 1965 (as\namended) if FSA provided this type of access to these third parties. It is the applicant that\nsubmits the data for the FAFSA. 
The extensive "smart-logic" o[the FAFSA on the Web product\nmaintains the applicant \' s control of their personal data and FAFSA submissions.\n\nBased on the capability provided through MySt udentData Download, described above, FSA\nbelieves that there is sufficient access to the necessary information for counseling and other\nadvisory activities.\n\nThank yo u again for the opportunity to share our progress and respond to your recommendations\nand suggestions.\n\n\ncc: \t Dawn Dawson, Audit Liaison Officer\n      Linda Hall , Internal Review Officer\n      Fred Anderson, Chief Risk Officer\n\n\n\n\n                                                 6\n\n\x0c'